artifacts-keyring-nofuss

v1.2.0 suspicious
6.0
Medium Risk

No-fuss, pure-Python keyring backend for Azure DevOps Artifacts feeds

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits high network and shell-execution risk, which could indicate unauthorized actions. However, the absence of obfuscation and credential-harvesting patterns, together with insufficient evidence of malice, makes it difficult to conclude that this is a supply-chain attack.

  • High network risk (7/10)
  • High shell risk (8/10)

Per-check LLM notes
  • Network: The network calls indicate the package communicates with external services, which could include fetching tokens or other sensitive information.
  • Shell: Subprocess execution indicates the package invokes external commands, which could be used to perform unauthorized actions on the system.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The repository not being found and the maintainer having only one package suggest potential risks, but there's insufficient evidence to conclusively determine malice.

📦 Package Quality Overall: Low (4.2/10)

◈ Medium Test Suite 6.0

Partial test coverage signals detected

  • 1 test file(s) detected (e.g. test_backend.py)

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (9098 chars)

○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 73 type-annotated function signatures detected in source

○ Low Multiple Contributors 1.0

Could not retrieve contributor data from GitHub

  • GitHub API error: 404

🔬 Heuristic Checks

Outbound Network Calls score 4.5

Found 3 network call pattern(s)

  • vice) try: resp = requests.get(clean_url, allow_redirects=False, timeout=10) except req
  • } try: resp = requests.post( url, json={ "scope"
  • try: resp = requests.post( url, data={

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 6.0

Found 3 shell execution pattern(s)

  • try: result = subprocess.run( [str(_HELPER_PATH), "get-access-token"],
  • """ try: result = subprocess.run( [_AZ_EXE, "account", "show", "--query", "user.n
  • try: result = subprocess.run( [ _AZ_EXE,

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)

  • Repository not found (deleted or private)

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "msr-central" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with artifacts-keyring-nofuss

Create a Python-based utility named 'ArtiKeyManager' that simplifies the management of secrets stored in Azure DevOps Artifacts feeds using the 'artifacts-keyring-nofuss' package. This utility should allow users to store, retrieve, and delete secrets securely from their Azure DevOps Artifacts feed without needing to manage complex configurations. Here are the steps and features your application should include:

1. **Setup**: Ensure your application starts by setting up an Azure DevOps Artifacts feed URL and personal access token (PAT) as required inputs. Use the 'artifacts-keyring-nofuss' package to initialize the keyring backend with these credentials.
2. **Store Secrets**: Implement a feature where users can input a secret (e.g., API keys, passwords) along with a label or name to uniquely identify it. The utility should then store this secret in the Azure DevOps Artifacts feed using the 'artifacts-keyring-nofuss' package.
3. **Retrieve Secrets**: Provide functionality for users to retrieve a secret based on its unique identifier or label. The utility should fetch the secret from the feed and display it to the user.
4. **Delete Secrets**: Include a feature allowing users to delete a secret from the feed by providing its identifier or label. Ensure this operation is irreversible within the utility.
5. **Security Measures**: Since handling secrets is sensitive, ensure all interactions with the feed are secure. Use HTTPS and validate the connection to the feed before performing any operations.
6. **User Interface**: Design a simple command-line interface (CLI) for interacting with the utility. Commands should be intuitive and clearly documented.
7. **Error Handling**: Implement robust error handling to manage cases such as invalid inputs, connection failures, or authentication issues. Provide meaningful error messages to guide users.
8. **Documentation**: Alongside the code, create comprehensive documentation explaining how to install and use the utility. Include examples of common use cases.

By following these guidelines, you'll develop a practical tool that leverages the 'artifacts-keyring-nofuss' package to make managing secrets in Azure DevOps Artifacts feeds more accessible and secure.
